
Research On Information Assurance Metrics And Comprehensive Evaluation

Posted on: 2007-04-04
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Zhao
Full Text: PDF
GTID: 1118360218962506
Subject: Applied Mathematics
Abstract/Summary:
With the rapid development of science and technology and the widespread application of information technology, nations and society are becoming increasingly dependent on information sectors, and information security is an indispensable part of national security. However, because of their ever-growing complexity and the interconnection of insecure devices to networks, information systems are more vulnerable than before. Even when appropriate security measures are applied, the security level of an information system cannot readily be evaluated; therefore, how to measure the security level of such systems has drawn much attention in recent years. Information assurance (IA) metrics are one such method. According to findings from the relevant departments, many countries, such as America and Russia, have been conducting research on comprehensive evaluation of IA, and similar research has been conducted in our country at the same pace as in other countries. The main objective of this paper is to construct a set of comprehensive IA indicators based on an IA metrics taxonomy.

First we introduce the definition of information security and divide the concept into three categories, information security, information system security and security of information content, which have different meanings. In this paper we consider only the former two and study the Confidentiality, Integrity, Availability, Authenticity, Non-repudiation, Invulnerability, Survivability and Availability of the system. A comparative analysis of current measurement standards and methods of information security is given, and at the same time the measurement methods of information security are reviewed.

Although these still have their own restrictions and limitations, and neither a general definition of information security metrics nor a formal theory of security metrics has yet been reached, they provide a relatively complete definitional framework for this research as well as the theoretical and technical basis on which an IA comprehensive evaluation architecture can be established.

Classification is the primary work of an IA metrics architecture; through it the logical groups of IA metrics and the relationships between them are given. In this paper information assurance is regarded as a multidimensional system, and, in line with the reality of our country, an IA metrics classification model comprising the three elements of technology, management and strategy is proposed. Based on this model, an IA comprehensive evaluation indicator system with multiple targets is then established to analyze the static assurance measures of information and information systems, dynamic assurance capability and assurance effects. The evaluation of static measures is considered mainly from the dimension of the technology, management and strategy elements, while that of the dynamic process is considered mainly from the dimension of capabilities in warning, protecting, detecting, responding, recovering and counter-attack, etc. The evaluation of state effects is considered from the dimension of security properties as well as the benefit evaluation of IA construction. Finally, the overall trend of IA and the relations between security, development and effectiveness are reflected by this indicator system. At the same time, an objective-driven method of constructing the indicator system is proposed, in which the sub-indicators are analyzed and elaborated in depth.

The evaluation method is very important. Taking into account the fuzziness and uncertainty of IA, an AHP-fuzzy comprehensive evaluation method for IA metrics is proposed, and a project example is given to verify its effectiveness.

A baseline evaluation theory is also given. The baseline of an information system is the minimum guarantee of system security; different security baselines give different security levels to protect the system and reduce cost. In this paper we propose a baseline construction model and give an example to show the procedure of comprehensive evaluation. It can be predicted that IA metrics will attract more and more attention as people become more dependent on information technology. This paper gives a method to construct an IA comprehensive evaluation indicator system and attempts some work on the analysis and evaluation of IA progress.
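The abstract names the method (AHP weight coefficients combined with multilevel fuzzy synthesis evaluation over the technology, management and strategy elements) but not its arithmetic. The following is an added worked example, written for this page and not taken from the dissertation: it derives AHP weights from pairwise-comparison matrices with a consistency check, synthesises sub-indicator membership vectors into element vectors and then into one overall vector, and defuzzifies the result into a score. The element names come from the abstract; the sub-indicator names, comparison matrices, four-grade scale, grade scores and membership vectors are all constructed assumptions for illustration.

```python
"""Two-level AHP-fuzzy comprehensive evaluation of IA indicators.

Constructed illustration: the pairwise-comparison matrices, the grade set,
the grade scores and the membership vectors below are assumptions made for
this example, not values from the dissertation.
"""
from typing import Dict, List, Sequence

# Saaty's random consistency index RI, keyed by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

GRADES = ["high", "medium", "low", "very low"]   # assumed evaluation grade set
GRADE_SCORES = [90.0, 70.0, 50.0, 30.0]          # assumed score attached to each grade


def ahp_weights(matrix: Sequence[Sequence[float]]) -> Dict[str, object]:
    """Weight vector from a pairwise-comparison matrix (geometric-mean method).

    Also estimates lambda_max and the consistency ratio CR = CI / RI;
    judgements with CR >= 0.1 are conventionally rejected and re-elicited.
    """
    n = len(matrix)
    for i, row in enumerate(matrix):
        if len(row) != n or any(v <= 0 for v in row):
            raise ValueError("matrix must be square with positive entries")
        for j in range(n):  # reciprocity a_ij * a_ji = 1 also forces a_ii = 1
            if abs(row[j] * matrix[j][i] - 1.0) > 1e-6:
                raise ValueError("matrix must be reciprocal (a_ij * a_ji = 1)")
    row_geo: List[float] = []
    for row in matrix:
        prod = 1.0
        for v in row:
            prod *= v
        row_geo.append(prod ** (1.0 / n))
    total = sum(row_geo)
    w = [g / total for g in row_geo]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri > 0 else 0.0
    return {"weights": w, "lambda_max": lambda_max, "cr": cr, "consistent": cr < 0.1}


def fuzzy_synthesis(weights: Sequence[float], memberships: Sequence[Sequence[float]]) -> List[float]:
    """B = W . R with the weighted-average operator M(*, +), normalised to sum 1."""
    if abs(sum(weights) - 1.0) > 1e-6 or len(weights) != len(memberships):
        raise ValueError("weights must sum to 1 and match the membership rows")
    grades = len(memberships[0])
    b = [sum(w * r[k] for w, r in zip(weights, memberships)) for k in range(grades)]
    s = sum(b)
    return [x / s for x in b]


def defuzzify(vector: Sequence[float]) -> float:
    """Weighted-average score of a membership vector over the grade scores."""
    return sum(m * s for m, s in zip(vector, GRADE_SCORES))


def evaluate(top_matrix, elements: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Two-level synthesis: sub-indicators -> element vectors -> overall vector."""
    top = ahp_weights(top_matrix)
    if not top["consistent"]:
        raise ValueError(f"first-level judgements inconsistent (CR={top['cr']:.3f})")
    names = list(elements)
    element_vectors = []
    for name in names:
        sub = ahp_weights(elements[name]["matrix"])
        if not sub["consistent"]:
            raise ValueError(f"{name}: sub-indicator judgements inconsistent")
        element_vectors.append(fuzzy_synthesis(sub["weights"], elements[name]["memberships"]))
    overall = fuzzy_synthesis(top["weights"], element_vectors)
    grade = GRADES[max(range(len(GRADES)), key=lambda k: overall[k])]  # max-membership rule
    return {
        "element_weights": dict(zip(names, top["weights"])),
        "element_vectors": dict(zip(names, element_vectors)),
        "overall": overall,
        "grade": grade,
        "score": defuzzify(overall),
    }


def example_evaluation() -> Dict[str, object]:
    """Constructed data: three elements from the abstract, assumed sub-indicators."""
    top = [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]  # technology > management > strategy
    elements = {
        "technology": {  # confidentiality, integrity, availability (assumed ratings)
            "matrix": [[1, 1, 2], [1, 1, 2], [1 / 2, 1 / 2, 1]],
            "memberships": [[0.5, 0.3, 0.2, 0.0], [0.6, 0.3, 0.1, 0.0], [0.2, 0.4, 0.3, 0.1]],
        },
        "management": {  # policy, training (assumed ratings)
            "matrix": [[1, 3], [1 / 3, 1]],
            "memberships": [[0.3, 0.4, 0.3, 0.0], [0.1, 0.3, 0.4, 0.2]],
        },
        "strategy": {  # planning, budget (assumed ratings)
            "matrix": [[1, 1], [1, 1]],
            "memberships": [[0.2, 0.2, 0.4, 0.2], [0.0, 0.4, 0.4, 0.2]],
        },
    }
    return evaluate(top, elements)


if __name__ == "__main__":
    result = example_evaluation()
    print(result["element_weights"], result["grade"], round(result["score"], 2))
```

The consistency ratio is the check a practitioner wants before trusting the weights: expert pairwise judgements that cycle (A over B, B over C, C over A) produce a CR well above 0.1 and `ahp_weights` reports them as inconsistent rather than silently averaging them. The weighted-average operator is used here so that no sub-indicator is dropped from the synthesis; the max-min operator is the other common choice and would change the element vectors.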
Keywords/Search Tags: information security, information assurance, information system, IA metrics, IA metrics taxonomy, index system of evaluation, evaluation method, multilevel fuzzy synthesis evaluation, Analytic Hierarchy Process, weight coefficient, baseline